From dcb25e4985f3d893a63cf77e20823360cb356225 Mon Sep 17 00:00:00 2001
From: Marko Paulic <marko.paulic@gmail.com>
Date: Mon, 23 Sep 2024 16:00:06 +0200
Subject: [PATCH] Update docs (#20)

Co-authored-by: Marko Paulic <m.paulic@reply.de>
---
 README.md                                     | 30 ++++++++++++++++++-
 ansible/README.md                             |  4 ++-
 images/docker/image-factory-runner/Dockerfile | 10 -------
 images/packer/Readme.md                       | 25 ++++++++++++++++
 .../image-factory-vm/scripts/setup-vm.sh      |  8 +----
 images/packer/user-packer/scripts/setup-vm.sh |  3 --
 6 files changed, 58 insertions(+), 22 deletions(-)
 create mode 100644 images/packer/Readme.md
 delete mode 100644 images/packer/user-packer/scripts/setup-vm.sh

diff --git a/README.md b/README.md
index 063bb417..608168e2 100644
--- a/README.md
+++ b/README.md
@@ -137,4 +137,32 @@ The [`reusable-workflow-packer-image.yml`](./.github/workflows/reusable-workflow
 
 ### Example User Repository
 
-An example user repository that demonstrates how to call these reusable workflows can be found [here](https://github.com/comsysto/wp10-image-factory-user).
+An example user repository that demonstrates how to call these reusable workflows can be found [here](https://github.com/comsysto/wp10-image-factory-user-1).
+
+## GitHub Action Runners
+
+### Multi-target architecture
+
+Our infrastructure now supports the production of both arm64 and amd64 container images. This enhancement has been achieved by enabling multi-architecture support on our Image Factory GitHub Actions runners.
+
+The following commands were executed to facilitate this capability:
+
+```bash
+sudo update-binfmts --enable qemu-aarch64
+sudo update-binfmts --enable qemu-arm
+```
+
+By enabling these QEMU interpreters, our CI/CD pipeline can seamlessly handle and build container images for multiple architectures, empowering customers with greater flexibility and compatibility for their deployment needs.
+
+### Quality gate and SBOM generation
+
+Quality Gate Checking with Trivy helps us enforce quality gates automatically. This integration reduces the risk of deploying insecure or non-compliant images to production, maintaining high security.
+
+SBOM Generation with Trivy provides detailed visibility into the components, libraries, and dependencies within our Docker images. This transparency allows us to manage software components effectively, quickly identify and mitigate vulnerabilities, and ensure compliance with licensing and regulatory requirements.
+
+SBOM is generated in following formats:
+
+- CycloneDX
+- SPDX
+
+Each invocation of our reusable workflow generates and uploads the results to the GitHub Actions run. The output is consolidated into a file named image-scan-results.zip.
diff --git a/ansible/README.md b/ansible/README.md
index f905cec7..94527311 100644
--- a/ansible/README.md
+++ b/ansible/README.md
@@ -10,6 +10,8 @@ The main Ansible playbook [`configure-image-factory-vm.yml`](./configure-image-f
 
 The [`podman`](./roles/podman) role configures Podman on the runner host VM. It sets up necessary directories, templates configuration files and GitHub PAT, logs into the Azure Container Registry, pulls the runner image, and creates the runner container. It also generates a systemd unit file for the runner container, ensuring it is managed by systemd, which enables automatic restarts and ensures that the container starts on system boot.
 
+**Important Note:** Podman runner containers are currently rootless, but are still running with "--priviledged" flag. Further setup is needed in Ansible podman role to remove this flag.
+
 ## GitHub Workflow
 
 The Ansible playbook is executed through the GitHub Actions workflow [`ansible-configure-if-vm.yml`](../.github/workflows/ansible-configure-if-vm.yml). This workflow handles both development and air-gapped environments, and templates the necessary SSH keys and inventory files accordingly.
@@ -20,4 +22,4 @@ The Ansible playbook is executed through the GitHub Actions workflow [`ansible-c
 2. Template SSH Key and Inventory (based on the environment)
 3. Template Ansible Variables
 4. Install and Configure Ansible
-5. Run Ansible Playbook
\ No newline at end of file
+5. Run Ansible Playbook
diff --git a/images/docker/image-factory-runner/Dockerfile b/images/docker/image-factory-runner/Dockerfile
index 6e0e211f..c0a0ddca 100644
--- a/images/docker/image-factory-runner/Dockerfile
+++ b/images/docker/image-factory-runner/Dockerfile
@@ -33,16 +33,6 @@ RUN apt-get update -y && \
     wget && \
     apt-get clean && rm -rf /var/lib/apt/lists/*
 
-# # Create runner user
-# RUN mkdir -p ${USER_HOME} && \
-#     useradd -r -d ${USER_HOME} -s /sbin/nologin -c "GitHub Actions User" ${USER_NAME}
-
-# # Add podman configuration file(s) and permissions
-# ADD files/containers.conf ${USER_HOME}/.config/containers/containers.conf
-# ADD files/registries.conf ${USER_HOME}/.config/containers/registries.conf
-# RUN mkdir -p ${USER_HOME}/.local/share/containers && \
-#     chown -R ${USER_GROUP}:${USER_NAME} ${USER_HOME}
-
 # Create runner user and necessary directories
 RUN groupadd -r ${USER_GROUP} && \
     useradd -r -d ${USER_HOME} -s /sbin/nologin -g ${USER_GROUP} -c "GitHub Actions User" ${USER_NAME} && \
diff --git a/images/packer/Readme.md b/images/packer/Readme.md
new file mode 100644
index 00000000..ca3cba28
--- /dev/null
+++ b/images/packer/Readme.md
@@ -0,0 +1,25 @@
+# packer
+
+This directory contains 2 repositories:
+
+- image-factory-vm
+- user-packer
+
+Both directories are used to build VM images with Packer and store them in Azure Shared Image Gallery however there is difference in when one is used:
+
+## image-factory-vm
+
+This directory contains Packer scripts to build Image Factory VM which will host GitHub Actions runner.
+
+Produced VM image version is then used by Terraform module during deployment:
+
+- runner
+
+To trigger image rebuild following GitHub Actions Workflow needs to be executed:
+
+- Build Image Factory VM
+
+## user-packer
+
+This directory contains Packer scripts to build user VM images produced by Image Factory.
+These scripts are used whenever user calls reusable workflow: "Reusable workflow - build packer VM"
diff --git a/images/packer/image-factory-vm/scripts/setup-vm.sh b/images/packer/image-factory-vm/scripts/setup-vm.sh
index 00d7b5d5..de48590d 100644
--- a/images/packer/image-factory-vm/scripts/setup-vm.sh
+++ b/images/packer/image-factory-vm/scripts/setup-vm.sh
@@ -34,10 +34,4 @@ apt-get install --no-install-recommends -y \
 rm -rf /var/lib/apt/lists/*
 
 # Install Azure CLI
-curl -sL https://aka.ms/InstallAzureCLIDeb | bash
-
-# Set up Trivy repository and install Trivy
-wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | apt-key add -
-echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | tee -a /etc/apt/sources.list.d/trivy.list
-apt-get update
-apt-get install -y trivy
+curl -sL https://aka.ms/InstallAzureCLIDeb | bash
\ No newline at end of file
diff --git a/images/packer/user-packer/scripts/setup-vm.sh b/images/packer/user-packer/scripts/setup-vm.sh
deleted file mode 100644
index f8d231aa..00000000
--- a/images/packer/user-packer/scripts/setup-vm.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-echo "Hello"
\ No newline at end of file